
Appthority has discovered a significant data exposure vulnerability we’ve named Eavesdropper that affects almost 700 apps in enterprise environments. The vulnerability is caused by including hard-coded credentials in mobile applications that use the Twilio REST API or SDK. By hard-coding their credentials, the developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings.

The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they’ve developed with the exposed credentials.

Eavesdropper poses a serious enterprise data threat because a would-be attacker could access confidential knowledge about a company’s business dealings and act on it for extortion or personal gain. Although Appthority has not extensively analyzed the recordings out of respect for privacy, due to the nature of the apps we believe that the data may potentially include business and personal discussions such as negotiations, pricing discussions, confidential recruiting calls, proprietary product and technology disclosures, health diagnoses, market data, and M&A planning. A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data.

Importantly, Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware. An Eavesdropper attack is possible simply because developers have failed to follow Twilio’s documented guidelines for secure use of credentials and tokens and have allowed these apps to leak audio and message-based communications.

Appthority first discovered the Eavesdropper vulnerability in April 2017 and notified Twilio in July about the exposed accounts. We found the Eavesdropper vulnerability in over 685 enterprise apps (44% Android, 56% iOS) associated with 85 Twilio developer accounts. As of the end of August 2017, 75 of these apps were available on Google Play, and 102 were on the App Store. The affected Android apps had been downloaded up to 180 million times. Approximately 33% of the Eavesdropper apps found are business related. The exposure has been present since 2011. The scope of the exposure is massive, including hundreds of millions of call records, minutes of calls and audio recordings, and text messages.

Eavesdropper: Anatomy of An Attack

An Eavesdropper attack only requires three steps to execute: reconnaissance, exploitation, and exfiltration.

Reconnaissance: The attacker searches for apps that employ Twilio. Some apps advertise that they do so (e.g. RingDNA); others can be found by downloading apps that have messaging, recording, or call functionality.

Exploitation: Using a service such as VirusTotal or a tool such as YARA, extract the strings inside the apps and search for the string "twilio". Identify the Twilio credentials, which consist of a Twilio ID and a token/password; these will generally be within 100 bytes of each other and near the api.twilio.com call. The Twilio ID is a 34-character string beginning with "AC". The token/password is a 32-character string, e.g. abcdef1234567890abcdef1234567890. Here’s an example of what it looks like (sensitive data obfuscated):

- Reference 00bcb71e contains the Account ID
- Reference 00bcb741 contains the Account token
- Reference 00bcb762 contains the Account ID, required for the URL
- Reference 00bcb7be contains a Twilio phone number

Exfiltration: There are many methods to access the account and browse or exfiltrate data. Here’s an example of using cURL to retrieve the account’s inbound-call usage records for August 2017:

$ curl -G https://api.twilio.com/2010-04-01/Accounts/ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Usage/Records.json \
    -d "Category=calls-inbound" \
    -d "StartDate=2017-08-01" \
    -d "EndDate=2017-08-31" \
    -u 'ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:your_auth_token'

Note how easy this attack is compared to, for example, an APT attack using the 7-step cyber kill chain: the attacker only needs to perform reconnaissance (step 1), exploitation (step 4), and exfiltration actions (step 7). There is no need to perform weaponization or the other steps, as the files are undefended.

Once the messaging and audio files have been exfiltrated, the attacker can run a simple script to convert audio files to text and search the text for keywords that would lead to proprietary or sensitive data.
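The credential pattern described above (a 34-character "AC…" Account ID and a 32-character token within about 100 bytes of each other, near the api.twilio.com host) is exactly what an AppSec team should scan its own build artifacts for before release. The following pre-release check is an added example, not Appthority's tooling or Twilio's; the string table it scans is constructed and the SID and token in it are fake placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: strings extracted from a hypothetical app build, with a
# fake Account SID and a fake auth token placed near the API host.
FAKE_SID = b"AC" + b"a" * 32            # placeholder, not a real SID
FAKE_TOKEN = b"0123456789abcdef" * 2    # placeholder, not a real token
SAMPLE_STRINGS = b"\n".join([
    b"https://api.twilio.com/2010-04-01/Accounts/",
    FAKE_SID,
    FAKE_TOKEN,
    b"+15005550006",
    b"com.example.messaging.TwilioClient",
])

# Account SID: "AC" followed by 32 hex characters (34 characters in total).
SID_RE = re.compile(rb"AC[0-9a-fA-F]{32}")
# Auth token: a standalone run of exactly 32 hex characters.
TOKEN_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
API_HOST = b"api.twilio.com"

def find_twilio_credentials(blob: bytes, window: int = 100) -> List[Dict[str, object]]:
    """Report SID/token pairs at most `window` bytes apart (the write-up's ~100-byte rule)."""
    findings = []
    for sid in SID_RE.finditer(blob):
        for tok in TOKEN_RE.finditer(blob):
            # Gap between the two byte ranges; 0 if they touch or overlap.
            gap = max(0, tok.start() - sid.end(), sid.start() - tok.end())
            if gap > window:
                continue
            # Also record whether the API host appears within 512 bytes of the SID,
            # the context the write-up says the credentials usually sit in.
            lo, hi = max(0, sid.start() - 512), sid.end() + 512
            findings.append({
                "sid": sid.group().decode(),
                "token_offset": tok.start(),
                "gap": gap,
                "near_api_host": API_HOST in blob[lo:hi],
            })
    return findings

def has_hardcoded_twilio_credentials(blob: bytes) -> bool:
    """Build-pipeline gate: True means the artifact embeds a SID/token pair and must not ship."""
    return bool(find_twilio_credentials(blob))

if __name__ == "__main__":
    for finding in find_twilio_credentials(SAMPLE_STRINGS):
        print("hard-coded Twilio credentials found:", finding)
```

Run it over the output of a strings extraction of each release build (APK/IPA) in CI; a true result means the credential belongs on a server that mints short-lived tokens for the app, not in the binary.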

Unfortunately, Eavesdropper is just the latest data leakage discovery by our Mobile Threat Team (MTT). The MTT also recently identified the HospitalGown vulnerability, which exposed a massive 43 terabytes of data (some of which was ransomed) on over 21,000 backend servers. And we’ve highlighted risks associated with platform services, such as those from Uber, and the low adoption of encryption standards such as App Transport Security. These are just a few examples of data and privacy risks that require a thorough analysis of mobile apps to identify mobile threats to enterprise data and privacy.